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Dated: 19 October 2020 
Subject: IAB Europe Comments On Belgian DPA Report 
Dear TCF registered Vendors & CMPs, 


This communication is to provide you with information about a report sent to IAB Europe by 
the Belgian DPA (the Autorité pour la Protection des Données, or APD) last Tuesday. 


The report is not a final ruling, and the APD has not "found the TCF to breach the 
GDPR", as headlines last week suggested. It is an interim document representing 
conclusions of the APD's “Inspection Service” following an investigation the Service 
conducted during 2019 and 2020. The investigation related to IAB Europe's website and to 
claims made in eight complaints about the TCF and OpenRTB that were submitted to the 
APD during 2019. Each of the complaints had cited a report issued by Dr. Johnny Ryan in 
2018 in support of complaints he lodged with the UK and Irish DPAs. 


The Inspectorate's conclusions, as contained in the report, are now being transferred to the 
APD's Litigation Chamber. The Litigation Chamber will issue a ruling some time next year. 


Please be assured that the report does not impact or affect current operations of the 
TCF. 


Summary of conclusions 

The report comes to the novel conclusion that IAB Europe is acting as a data controller (or 
co-controller) in the context of the TCF. This conclusion is based on the following 
considerations: 


e TCF imposes mandatory rules 

e TCF participation is subject to payment 

e IAB Europe is the Managing Organisation 

e IAB Europe mandates a list of data processing purposes (ref. list of purposes) 

e IAB Europe determines des means of processing (ref. Policies for CMPs, Vendors) 
e IAB Europe controls compliance, namely through its Terms and Conditions. 


As you will recall, the College of German State DPAs concluded in 2019 that IAB Europe was 
not a controller in the context of the TCF. But as there is neither a CJEU ruling nor a 
European Data Protection Board decision ratifying that interpretation, the APD is free to 
assert a conflicting one. 


With respect to the TCF, the report cites the following "findings": 


e The TCF incorrectly places the responsibility for providing fairness and transparency 
to users on CMPs and publishers, whereas IAB Europe (as a co-controller?) should 
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have a share of the responsibility. As we would contest the interpretation according 
to which IAB Europe acts as a controller in the context of the TCF, we would contest 
this finding. 

e TCF/IAB Europe encourages use of legitimate interests for data processing for 
profiling and personalisation. The APD believes that legitimate interests is not an 
acceptable legal basis for profiling. Moreover, even if it were, the APD notes that 
there is no evidence that IAB Europe (as a co-controller in the TCF context?) has 
performed any balancing test, which it is required to do as a condition for leveraging 
legitimate interests. Again, as we contest the interpretation that we are a co- 
controller, no balancing test is necessary. And legitimate interests is an available legal 
basis for personalisation under the GDPR, as long as data controllers do perform the 
balancing test. 

e Data controllers are using the TCF to process special category data, despite the TCF 
not providing adequate rules for such processing. APD notes that this is illegal due to 
processing of special category data requiring "explicit consent", rather than the 
“unambiguous consent" facilitated by the TCF. The report ignores the fact that the 
TCF Policies specifically exclude using the Framework to process special category 
data. 

e The TCF (and IAB Europe as a co-controller) breaches the GDPR's Articles 24 and 32 
(on responsibility of the data controller and security of processing, respectively) 
because the v2 Policies allow CMPs to continue to transact with publishers whom 
they suspect of engaging in behaviour that breaches the Policies and/or applicable 
EU law. The report ignores the fact that CMPs are REQUIRED to alert the MO of such 
suspicions, and may not execute any instruction from a publisher that infringes the 
TCF Policies. 


IAB Europe public statement 
On Friday, we posted a public statement on our website that may be accessed here. 


APD process and next steps 

We have been given a deadline of 7th December to respond in writing to the report. The 
parties that submitted the complaints may review our submission and make their own 
further submissions by 11 January. We will then have until 15 February to submit a counter- 
response. Should a decision by the Litigation Chamber go against IAB Europe, we would 
have the possibility of lodging an appeal with the relevant Belgian court. Interestingly, we 
believe that we would have some scope to require either the Litigation Chamber or the 
relevant Belgian court to request a preliminary ruling by the CJEU (for example, on the data 
controller item). 


The report is difficult to follow (it is not clear in places whether the conduct being referenced 
relates to the IAB Europe website or the TCF), and provides little substantiation for its 
assertions beyond lengthy citations of Article 29 Working Party Opinions and best-practice 
recommendations. This said, we do not discount or underestimate the damage that an 
authority that for whatever reason is determined to discredit the TCF and the digital 
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advertising industry can do, regardless of the merits of the charges being brought. 


Please reach out to framework@iabeurope.eu if you have any further questions. We will keep 
you updated on any developments. 


Best, 


Townsend Feehan | CEO | IAB Europe 
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